ISO 27001 2022 Update
ISO/IEC 27001:2022 and ISO/IEC 27002:2022
The ISO 27001 information security management standard and its code of practice ISO 27002 were last updated 12 years ago.
A new version of the ISO 27002 standard was published in February 2022, and a revised iteration of the ISO 27001 standard was published on 25 October 2022.
What do we know about the changes to ISO 27001 and ISO 27002 so far, and how do these changes affect organisations that are certified or planning to certify to ISO 27001 in 2022?
What’s changing in the new version of the ISO 27001 standard?
The term “code of practice” has been dropped from the title of the updated ISO 27002 standard. This now better reflects its purpose as a source of guidance on the information security controls within ISO 27001 Annex A.
The new version of the standard itself will be significantly longer than the 2013 version, and the controls themselves have been reordered and updated; yes, they’ve gone and changed all the controls again. Some controls have been merged or removed, and some new controls have been added to bring the standard in line with new developments in technology, such as cloud hosting:
ISO 27002:2022 lists 93 controls versus ISO 27002:2013’s 114 controls.
The updated controls are now grouped into 4 ‘themes’ rather than the 14 clauses that we all know and love so well.
The 4 new themes are:
Physical (14 controls in this section)
Organisational (37 controls in this section)
Technological (34 controls in this section)
People (8 controls in this section)
The completely new controls are:
Information security for use of cloud services
ICT readiness for business continuity
Threat intelligence
Web filtering
Monitoring activities
Physical security monitoring
Configuration management
Data masking
Data leakage prevention
Information deletion
Secure coding
All the controls will now have five types of attribute to make them much easier to categorise:
Control type (preventive, detective, corrective)
Information security properties (confidentiality, integrity, availability)
Cybersecurity concepts (identify, protect, detect, respond, recover)
Security domains (governance and ecosystem, protection, defence, resilience)
Operational capabilities (governance, asset management, etc.)
How will the update to ISO 27001 affect organisations implementing ISO 27001?
As part of the risk management process, ISO 27001:2013 allows you to select controls from any other standards and frameworks, as long as you compare them with Annex A and document the reasons for your choices and any additional controls.
Assuming the 2022 version of ISO 27001 is broadly similar to the 2013 version of the standard, there will be a new version of Annex A once the new standard is published. This will reflect the Annex A controls in the new version of ISO 27002 and provide further guidance on how you go about implementing the controls.
Until the new version of ISO 27001 is published, your existing SoA (Statement of Applicability) must refer to Annex A of ISO 27001:2013. The controls in ISO 27002:2022 will be an alternative control set, which you will need to compare with the existing Annex A, just as you would with any other alternative control set, and document within your SoA.
ISO 27002:2022 will apparently have an annex that compares the new control set with the 2013 iteration of the Standard, so this exercise should be relatively straightforward.
What does this mean for organisations that are already certified to ISO 27001:2013?
In the past there has been a two-year transition period for ISO 27001 certified organisations to revise their information security management system to conform to a new version of a standard, so there will be plenty of time for organisations with existing ISO 27001 certification to make the required changes.
However, it’s not advisable to leave the updates needed to meet the new version of the standard until the last minute, so when you renew your certification during the transition period, you should factor in the new control set.
One advantage of implementing the new controls is that, because they are identifiable by attribute, it is easier to focus on your control selections, which will hopefully make your ISMS (information security management system) easier to implement and manage.
Should organisations who are planning to certify to ISO 27001 wait until the new ISO standards are published?
The simple answer is no. Organisations will lose nothing by implementing an ISMS that conforms to ISO 27001:2013 and uses the existing Annex A control set, whether for direct implementation or as a reference against other controls.
Waiting until the new version of ISO 27001 standard is published will likely leave you at greater risk from external and internal threats.
How can Romano Security Consulting help with ISO 27001?
If you are thinking of updating your existing ISO 27001 ISMS to the new ISO 27001:2022 standard, we can help you decipher the new requirements. If you are starting from scratch and looking at implementing ISO 27001:2022, we’d be happy to help your organisation through the ISO 27001 certification process. For more information, see our ISO 27001 webpage or contact us today.